Reporting

Cisco Identity Services Engine (ISE) reports are used with monitoring and troubleshooting features to analyze trends, and, monitor system performance and network activities from a central location. For more information, see Chapter26, “Monitoring and Troubleshooting”

This chapter explains the types of reports that are available in Cisco ISE. It also discusses the various ways that you can use report data, and organize it for more effective use.

Cisco ISE Reports

Cisco ISE collects log and configuration data from across the network. It then aggregates the data into reports for you to view and analyze. Cisco ISE provides a standard set of predefined reports that you can use and customize to fit your needs.

Cisco ISE reports are preconfigured and e grouped into logical categories with information related to authentication, session traffic, device administration, configuration and administration, and troubleshooting. For a complete list of Cisco ISE reports, see Available Reports.

Reports Navigation

You can get detailed information from the reports output. For example, if you have generated a report for a period of five months, the graph and table will list the aggregate data for the report in a scale of months.

You can click a particular value from the table to see another report related to this particular field. For example, an authentication summary report will display the failed count for the user or user group. When you click the failed count, an authentication summary report is opened for that particular failed count.

Exporting Reports

You can export report data to an Excel spreadsheet as a comma-separated values (.csv) file. After you export the data, you will receive an email detailing the location of the report.

Note You can export report data to a.csv format only by using the Primary PAP nodes.

Step 2 Click Export in the top right-hand corner of the report summary page.

Step 3 Specify the data columns that you want to export.

Step 4 Choose a repository from the drop-down list.

Step 5 Click Export.

Note To view the non-English characters correctly after exporting a report, you must import the file into Microsoft Excel by enabling UTF-8 character encoding. If you choose to open the exported.csv file directly in Microsoft Excel without enabling UTF-8 character encoding, the non-English characters in the report appear in some garbage form.

Step 2 Click Save As in the top right-hand corner of the report summary page.

Step 3 Choose Report or Scheduled Report.

Step 4 Enter the required details in the dialog box.

Step 5 Click Save as New.

You cannot schedule the following reports:

Authentication Summary

Health Summary

RBACL Drop Summary

Guest Sponsor summary

End point Profile Changes

Network Device Session Status

Adding Favorite Reports

You can add preconfigured system reports to your favorites list, as well as reports that you have customized.

You can add reports that you use frequently to a list of favorites to make them easier to find, similar to how you bookmark favorite websites in a browser. You can view and edit the parameters of your favorite reports, and then save the customized reports for reuse.

Note Every administrator account is assigned one or more administrative roles. Depending on the roles that are assigned to your account, you may not be able to perform the tasks that are described in this section.

Step 2 Click Favorite in the top right-hand corner of the report summary page.

The report appears in your Favorites list.

Note You can add preconfigured system reports to your favorites list only by using the Primary PAP nodes.

Cisco ISE Active RADIUS Sessions

Cisco ISE provides a dynamic Change of Authorization (CoA) feature for the Live Sessions that allows you to dynamically control active RADIUS sessions. You can send reauthenticate or disconnect requests to a Network Access Device (NAD) to perform the following tasks:

Troubleshoot issues related to authentication—You can use the Session reauthentication option to follow up with an attempt to reauthenticate again. However, you must not use this option to restrict access. To restrict access, use the shutdown option.

Block a problematic host—You can use the Session termination with port shutdown option to block an infected host that sends a lot of traffic over the network. However, the RADIUS protocol does not currently support a method for re-enabling a port that has been shut down.

Force endpoints to reacquire IP addresses—You can use the Session termination with port bounce option for endpoints that do not have a supplicant or client to generate a DHCP request after a VLAN change.

Push an updated authorization policy to an endpoint—You can use the Session reauthentication option to enforce an updated policy configuration, such as a change in the authorization policy on existing sessions based on the discretion of the administrator. For example, if posture validation is enabled, when an endpoint gains access initially, it is usually quarantined. After the identity and posture of the endpoint are known, it is possible to send the Session reauthentication command to the endpoint for the endpoint to acquire the actual authorization policy based on its posture.

For CoA commands to be understood by the device, it is important that you configure the options appropriately.

For CoA to work properly, you must configure the shared secret of each device that requires a dynamic change of authorization. Cisco ISE uses the shared secret configuration to request access from the device and issue CoA commands to it. For more information, see Chapter15, “Managing Users and External Identity Sources”

Note In this release of Cisco ISE, the maximum number of active authenticated endpoint sessions that can be displayed is limited to 100,000.

Changing Authorization for RADIUS Sessions

Some Network Access Devices on your network may not send an Accounting Stop or Accounting Off packet after a reload. As a result, you might find two sessions in the Session Directory reports, one which has expired.

To dynamically change the authorization of an active RADIUS session or disconnect an active RADIUS session, be sure to choose the most recent session.

Step 1 Choose Operations > Authentications.

Step 2 Switch the view to Show Live Session.

Step 3 Click the CoA link for the RADIUS session that you want to issue CoA and choose one of the following options:

Note For Inline Posture nodes and where wireless LAN controllers (WLC) are in use, only two options are available: Session reauthentication and Session termination.

SAnet Session Query— Use this to query information about sessions from SAnet supported devices.

Session reauthentication —Reauthenticate session.

Session reauthentication with last —Use the last successful authentication method for this session.

Session reauthentication with rerun —Run through the configured authentication method from the beginning.

NoteSession reauthentication with last and Session reauthentication with rerun options are not currently supported in Cisco IOS software.

Session termination —Just end the session. The switch reauthenticates the client in a different session.

Session termination with port bounce —Terminate the session and restart the port.

Session termination with port shutdown —Terminate the session and shutdown the port.

Step 4 Click Run to issue CoA with the selected reauthenticate or terminate option.

Available Reports

The following table lists the preconfigured reports, grouped according to their category. Descriptions of the report functionality and logging category are also provided.

Table 27-1 Available Reports

Report Name

Description

Logging Category

Auth Services Status

AAA Diagnostics

The AAA Diagnostics report provides details of all network sessions between Cisco ISE and users. If users cannot access the network, you can review this report to identify trends and identify whether the issue is isolated to a particular user or indicative of a more widespread problem.

This report requires that you first enable several diagnostic logging categories. Collecting these logs can negatively impact Cisco ISE performance. So, these categories are not enabled by default, and you should enable them just long enough to collect the data. Otherwise, they are automatically disabled after 30 minutes.

The RADIUS Authentications report enables you to review the history of authentication failures and successes. If users cannot access the network, you can review the details in this report to identify possible causes.

The RADIUS Accounting report identifies how long users have been on the network. If users are losing network access, you can use this report to identify whether Cisco ISE is the cause of the network connectivity issues.

The Authentication Summary report is based on the RADIUS authentications. It enables you to identify the most common authentications and the reason for any authentication failures. For example, if one Cisco ISE server is handling significantly more authentications than others, you might want to reassign users to different Cisco ISE servers to better balance the load.

Note As the Authentication Summary report or dashboard collects and displays the latest data corresponding to failed or passed authentications, the contents of the report appear after a delay of a few minutes.

—

OCSP Monitoring

The OCSP Monitoring Report specifies the status of the Online Certificate Status Protocol (OCSP) services. It identifies whether Cisco ISE can successfully contact a certificate server and provides certificate status auditing. Provides a summary of all the OCSP certificate validation operations performed by Cisco ISE.

The Internal Administrator Summary report enables you to verify the entitlement of administrator users. From this report, you can also access the Administrator Logins and Change Configuration Audit reports, which enables you to view these details for each administrator.

—

Change Configuration Audit

The Change Configuration Audit report provides details about configuration changes within a specified time period. If you need to troubleshoot a feature, this report can help you determine if a recent configuration change contributed to the problem.

The System Diagnostic report provides details about the status of the Cisco ISE nodes. If a Cisco ISE node is unable to register, you can review this report to troubleshoot the issue.

This report requires that you first enable several diagnostic logging categories. Collecting these logs can negatively impact Cisco ISE performance. So, these categories are not enabled by default, and you should enable them just long enough to collect the data. Otherwise, they are automatically disabled after 30 minutes.

The Health Summary report provides details similar to the Dashboard. However, the Dashboard only displays data for the past 24 hours, and you can review more historical data using this report.

You can evaluate this data to see consistent patterns in data. For example, you would expect heavier CPU usage when most employees start their work days. If you see inconsistencies in these trends, you can identify potential problems.

—

Network Device Session Status

The Network Device Session Status Summary report enables you to display the switch configuration without logging into the switch directly.

Cisco ISE accesses these details using an SNMP query and requires that your network devices are configured with SNMP v1/v2c.

If a user is experiencing network issues, this report can help you identify if the issue is related to the switch configuration rather than with Cisco ISE.

—

Data Purging Audit

The Data Purging Audit report records when the logging data is purged.

This report reflects two sources of data purging.

At 4AM daily, Cisco ISE checks whether there are any logging files that meet the criteria you have set on the Administration > Maintenance > Data Purging page. If so, the files are deleted and recorded in this report. Additionally, Cisco ISE continually maintains a maximum of 80% used storage space for the log files. Every hour, Cisco ISE verifies this percentage and deletes the oldest data until it reaches the 80% threshold again. This information is also recorded in this report.

—

Misconfigured Supplicants

The Misconfigured Supplicants report provides a list of mis-configured supplicants along with the statistics due to failed attempts that are performed by a specific supplicant. If you have taken corrective actions and fix the mis-configured supplicant, the report displays fixed acknowledgement in the report.

Note RADIUS Suppression should be enabled to run this report.

—

Misconfigured NAS

The Misconfigured NAS report provides information about NADs with inaccurate accounting frequency typically when sending accounting information frequently. If you have taken corrective actions and fix the mis-configured NADs, the report displays fixed acknowledgment in the report.

Note RADIUS Suppression should be enabled to run this report.

—

Endpoints and Users

Client Provisioning

The Client Provisioning report indicates the client provisioning agents applied to particular endpoints. You can use this report to verify the policies applied to each endpoint to verify whether the endpoints have been correctly provisioned.

The Current Active Sessions report enables you to export a report with details about who was currently on the network within a specified time period.

If a user isn't getting network access, you can see whether the session is authenticated or terminated or if there is another problem with the session.

—

Guest Activity

The Guest Activity report provides details about the websites that guest users are visiting. You can use this report for security auditing purposes to demonstrate when guest users accessed the network and what they did on it.

You must also enable HTTP inspection on the network access device (NAD) used for guest traffic. This information is sent back to Cisco ISE by the NAD.

You can use this report to see which endpoints have been provisioned by the MDM server without logging into the MDM server directly. It also displays information such as registration and MDM-compliance status.

—

Posture Detail Assessment

The Posture Detail Assessment report provides details about posture compliancy for a particular endpoint. If an endpoint previously had network access and then suddenly was unable to access the network, you can use this report to determine if a posture violation occurred.